Don't Delay: Replace Symantec TLS/SSL Certs Now

A major operation to cleanse websites of dodgy digital certificates created under questionable circumstances has begun. Google has issued the orders: Purge digital certificates that were issued by Symantec before June 1, 2016.

The clean-out orders mark a step forward following a sharp spat between two major technology companies. Google, as well as other browser makers including Mozilla, was concerned that Symantec's digital certificate business had lost quality control, creating dangers for those who browse the web.

Symantec has long been in the business of selling the digital certificates that secure an encrypted connection between someone's web browser and a service. The protocol, known as Transport Layer Security, or by its older name, Secure Sockets Layer, scrambles web traffic so it's unreadable to outsiders; the certificate is what lets the browser verify it is talking to the genuine site rather than an impostor.

Symantec had a robust TLS business. Through acquisitions of TLS businesses run by VeriSign, Thawte, Equifax and others, it held about 30 percent of the market.

Part of the reason Google became so involved in the debate is that it was one of the victims of lax TLS issuance. Google charged in September 2016 that it found Symantec's Thawte division issued extended validation pre-certificates for www.google.com and google.com, an egregious and potentially dangerous error.

There are several flavors of TLS certificates, with varying levels of verification that are supposed to be performed by the issuer. But extended validation certificates - often the most expensive kind to purchase - are supposed to have the highest level of assurance that the requester has been vetted.

The dispute spilled out in public. Symantec asserted in March that Google's public statements were "unexpected" and "irresponsible." It also disputed Google's contention that it had found 30,000 certificates that had been improperly issued, instead saying it had found only 127 suspect ones.

Nonetheless, Symantec bailed on its SSL business. It announced last month that it would sell its website security and PKI business to DigiCert for $950 million plus 30 percent in common stock equity. DigiCert appeared enthusiastic about the challenge, saying: "We feel confident that this agreement will satisfy the needs of the browser community."

What You Need To Do

On Monday, Google outlined in a blog post the timelines for when website operators need to replace their certificates. If a certificate is not replaced, Google's Chrome browser will display a warning that the site's certificate is invalid and that the site should not be trusted.

DigiCert's infrastructure will begin handling the issuing of new certificates on Dec. 1. "Certificates issued from the old Symantec infrastructure after this date will not be trusted in Chrome," according to a post in Google's developer forum.

The race will be on to replace those certificates issued by Symantec before June 1, 2016, in advance of the release of Chrome 66. That version of the browser will be released in beta on March 15, 2018, and to stable users around April 17, 2018, Google says.

"The distrust of these certificates is necessary and is specifically targeted at removing the risk of trusting old certificates that were issued under an inadequately controlled infrastructure," according to the forum post.

Google and Mozilla had hoped to begin distrusting the certificates by the end of this year. But the timeline was pushed back because of the size of Symantec's TLS business and the need to give operators enough time to make the changes.

Site operators will need to obtain new certificates from a trusted certificate authority, which is supposed to abide by the security guidelines of the CA/Browser Forum.

Google says its Chrome 70, due to come out on Oct. 23, 2018, will fully "remove trust in Symantec's old infrastructure and all of the certificates it has issued. This will affect any certificate chaining to Symantec roots, except for the small number issued by the independently-operated and audited subordinate CAs previously disclosed to Google."
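One way for a site operator to triage their own certificates against the schedule above, as an added example that is not from the article or from Google: it classifies a certificate in the dict format Python's `ssl` module returns from `getpeercert()`, using the June 1, 2016 cutoff for Chrome 66 and the Chrome 70 cutoff for everything else chaining to a Symantec brand. The brand list (Symantec, VeriSign, Thawte, Equifax), the hostname-fetching helper and the sample certificate dicts are assumptions constructed for the example.

```python
import socket
import ssl

# Assumed heuristic: match the leaf's issuer organizationName against the
# Symantec brands named in the article. Extend as needed for your estate.
SYMANTEC_BRANDS = ("symantec", "verisign", "thawte", "equifax")

# Chrome 66 distrusts Symantec-issued certificates dated before this cutoff.
DISTRUST_CUTOFF = ssl.cert_time_to_seconds("Jun  1 00:00:00 2016 GMT")


def issuer_org(cert):
    """Return the issuer's organizationName from a getpeercert()-style dict."""
    for rdn in cert.get("issuer", ()):
        for key, value in rdn:
            if key == "organizationName":
                return value
    return ""


def classify(cert):
    """Map a certificate to the action the Chrome schedule requires."""
    org = issuer_org(cert).lower()
    if not any(brand in org for brand in SYMANTEC_BRANDS):
        return "ok: not issued under a Symantec brand"
    issued = ssl.cert_time_to_seconds(cert["notBefore"])
    if issued < DISTRUST_CUTOFF:
        return "replace before Chrome 66 (stable ~April 17, 2018)"
    return "replace before Chrome 70 (Oct. 23, 2018)"


def check_site(host, port=443):
    """Fetch a live host's leaf certificate and classify it (needs network)."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=10) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return classify(tls.getpeercert())


# Constructed sample dicts in getpeercert() format; not real certificates.
OLD_SYMANTEC = {
    "issuer": ((("countryName", "US"),),
               (("organizationName", "Symantec Corporation"),)),
    "notBefore": "Mar 10 00:00:00 2016 GMT",
}
NEW_THAWTE = {
    "issuer": ((("organizationName", "thawte, Inc."),),),
    "notBefore": "Sep  5 00:00:00 2017 GMT",
}
OTHER_CA = {
    "issuer": ((("organizationName", "Example Trust Services"),),),
    "notBefore": "Jan  5 09:59:03 2017 GMT",
}
```

`getpeercert()` only returns the leaf, so the issuer seen here is the intermediate; for the Chrome 70 rule, which is about the root the chain ends in, confirm the full chain with your CA's tooling before deciding a certificate is safe.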

About the Author

Kirk is a veteran journalist who has reported from more than a dozen countries. Based in Sydney, he is Managing Editor for Security and Technology for Information Security Media Group. Prior to ISMG, he worked from London and Sydney covering computer security and privacy for International Data Group. Further back, he covered military affairs from Seoul, South Korea, and general assignment news for his hometown paper in Illinois.
